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stores  or  developer  websites.  Unfortunately,  few  of  these  applications  provide  the  required  level  of  security  to  protect  the  sensitive, 
potentially  mission  critical  data  that  they  access  and  store.  Furthermore,  while  the  major  mobile  device  manufactures  have  given  much  lip 
service  to  security  for  their  respective  platforms,  all  currently  fall  way  short  of  providing  the  robust  security  controls  required  to  securely 
operate  these  devices  in  a  tactical  or  other  mission  critical  environment.  This  issue  is  under  scored  by  the  fact  that  no  DoD  accreditation 
authority  has  yet  to  accredit  and  authorize  the  use  of  any  commercial  mobile  devices  in  a  tactical  environment  despite  the  need  and  demand 
for  the  capabilities  that  such  devices  provide  for  the  warfighter. 
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Scientific  Progress 

Our  research  was  integrated  in  the  Secure  Android  platform  developed  for  DARPA’s  Transformative  Apps  program,  and  had  to 
be  aligned  with  the  program’s  research  and  experimentation  schedule.  Within  those  constraints,  this  section  highlights  the  key 
research  results  we  achieved  against  our  proposed  work  plan. 

Tasks  1  &  2:  SBU  Wireless  Comms  (R  &  D,  ImpI  &  Support) 

Unfortunately,  the  SBU  Wireless  communication  research  on  the  Transformative  Apps  program  was  delayed.  Once  the  initial 
framework  was  in-place,  we  had  expended  all  of  our  initial  funding  on  this  effort  researching  other  tasks.  We  did  however, 
leverage  our  Phase  II  research  to  inform  the  design  of  the  SBU  wireless  architecture,  adding  the  requirement  that  the  Android 
HH  device  only  connect  to  wireless  networks  that  it  is  able  to  interrogate  and  identify  as  a  valid,  approved  network. 

Task  3:  Handheld  Security  Stack 

We  successfully  transitioned  our  Phase  II  authentication  research  into  multiple  facets  of  the  Android  security  stack  on  the 
Transformative  Apps  program.  The  data-at-rest  and  zeroization  functionality  is  provided  by  a  native  service  on  the  Android 
device  that  interfaces  with  both  a  logon  program  (large  keyboard)  and  a  zeroization  program  that  can  be  launched  by  users  in 
the  event  of  a  device  compromise.  To  prevent  against  denial-of-service  by  potential  rogue  applications,  we  implemented  a 
challenge/response  protocol  within  this  native  service  to  ensure  that  only  authorized  apps  can  call  those  services.  Additionally, 
to  control  which  applications  are  allowed  on  the  device,  we  extended  the  existing,  non-secure  Android  signature  verification 
with  a  more  robust  challenge  mechanism  in  which  the  Android  Package  Manager  queries  an  application’s  manifest  for  specific 
information  that  could  only  be  supplied  by  a  program  authorized  mobile  app.  This  capability  has  facilitated  experimentation  in 
Afghanistan,  where  the  potential  utility  of  different  apps  is  evaluated.  Our  challenge/response  mechanism  has  allowed  for 
temporary  (i.e.  one  week)  endorsement  of  apps  for  evaluation.  Finally,  as  well  be  described  below,  we  added  active  challenge 
mechanisms  to  the  USB  stack  on  the  Android  handheld  device. 

Task  4:  Laptop  Security  Stack 

The  most  fruitful  transition  of  the  Phase  II  research  was  in  securing  the  USB  connection  between  the  tactical  handheld  device 
and  a  laptop  computer.  Figure  1  below  illustrates  stock,  unmodified  USB  communications  between  and  Android  handheld 
device  and  Windows  PC. As  can  be  seen,  there  is  no  authentication  built  into  the  communications  mechanisms,  allowing  for  the 
free  exchange  of  (potentially  sensitive)  data  between  any  Windows  PC  and  any  Android  device  either  through  USB  Mass 
Storage  or  over  the  Android  Debug  Bridge  (ADB)  protocol.  The  only  safeguards  are  user  supplied  settings  and  interactions  on 
the  Android  device  to  enable  these  protocols. 

For  this  effort,  we  applied  the  active  challenge  approach  developed  in  Phase  II  to  the  problem  of  USB  mutual  authentication, 
ensuring  that  data  can  only  be  exchanged  between  authorized  Windows  PC’s  and  authorized  Android  handheld  devices.  Figure 
2  below  illustrates  the  modifications  we  made  to  the  USB  communications  stack  under  this  effort. 
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Problem  Statement 


With  the  pervasiveness  of  high-speed  wireless  Internet  access,  robust  computing  power,  and  an  endless 
stream  of  new  mobile  apps  in  the  Android  Marketplace  and  Apple  App  Store,  mobile  wireless  devices 
are  now  the  go-to  computing  device  for  a  myriad  of  users  including  the  warfighter.  Commercial 
enterprises  and  the  military  alike  are  now  facing  the  reality  that  these  devices  are  not  only  being  brought 
into  and  connected  to  sensitive  networks,  but  are  also  being  used  for  legitimate  commercial  business, 
work  flow,  and  military  mission  applications.  These  new  hand-held  devices  are  capable  of  carrying 
significant  amount  of  sensitive  data.  Not  surprisingly,  these  devices  are  starting  to  become  a  prime  target 
for  those  wishing  to  gain  unauthorized  access  to  such  information. 

Most  hand-held  mobile  devices  today  are  equipped  with  a  phone,  web  browser,  music  player,  camera, 
and  a  horde  of  other  applications  and  services.  Google  Android,  NeoFreeRunner,  Nokia  Maemo,  iPhone 
OS  and  Windows  Phone  OS  are  noteworthy  hand-held  device  platforms  capable  of  performing  most  of 
the  functions  previously  found  only  in  full-fledged  desktop  operating  systems.  Usability  of  such  devices  is 
further  increased  by  the  availability  of  third-party  applications  that  can  be  purchased  or  freely 
downloaded  by  users  from  online  application  stores  or  developer  websites.  Unfortunately,  few  of  these 
applications  provide  the  required  level  of  security  to  protect  the  sensitive,  potentially  mission  critical 
data  that  they  access  and  store.  Furthermore,  while  the  major  mobile  device  manufactures  have  given 
much  lip  service  to  security  for  their  respective  platforms,  all  currently  fall  way  short  of  providing  the 
robust  security  controls  required  to  securely  operate  these  devices  in  a  tactical  or  other  mission  critical 
environment.  This  issue  is  under  scored  by  the  fact  that  no  DoD  accreditation  authority  has  yet  to 
accredit  and  authorize  the  use  of  any  commercial  mobile  devices  in  a  tactical  environment  despite  the 
need  and  demand  for  the  capabilities  that  such  devices  provide  for  the  warfighter. 

Summary  of  Results 

Our  research  was  integrated  in  the  Secure  Android  platform  developed  for  DARPA’s  Transformative 
Apps  program,  and  had  to  be  aligned  with  the  program’s  research  and  experimentation  schedule.  Within 
those  constraints,  this  section  highlights  the  key  research  results  we  achieved  against  our  proposed 
work  plan. 

Tasks  I  &  2:  SBU  Wireless  Comms  (R  &  D,  ImpI  &  Support) 

Unfortunately,  the  SBU  Wireless  communication  research  on  the  Transformative  Apps  program  was 
delayed.  Once  the  initial  framework  was  in-place,  we  had  expended  all  of  our  initial  funding  on  this  effort 
researching  other  tasks.  We  did  however,  leverage  our  Phase  II  research  to  inform  the  design  of  the 
SBU  wireless  architecture,  adding  the  requirement  that  the  Android  HH  device  only  connect  to  wireless 
networks  that  it  is  able  to  interrogate  and  identify  as  a  valid,  approved  network. 

Task  3:  Handheld  Security  Stack 

We  successfully  transitioned  our  Phase  II  authentication  research  into  multiple  facets  of  the  Android 
security  stack  on  the  Transformative  Apps  program.  The  data-at-rest  and  zeroization  functionality  is 
provided  by  a  native  service  on  the  Android  device  that  interfaces  with  both  a  logon  program  (large 
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keyboard)  and  a  zeroization  program  that  can  be  launched  by  users  in  the  event  of  a  device 
compromise.  To  prevent  against  denial-of-service  by  potential  rogue  applications,  we  implemented  a 
challenge/response  protocol  within  this  native  service  to  ensure  that  only  authorized  apps  can  call  those 
services.  Additionally,  to  control  which  applications  are  allowed  on  the  device,  we  extended  the  existing, 
non-secure  Android  signature  verification  with  a  more  robust  challenge  mechanism  in  which  the 
Android  Package  Manager  queries  an  application’s  manifest  for  specific  information  that  could  only  be 
supplied  by  a  program  authorized  mobile  app.  This  capability  has  facilitated  experimentation  in 
Afghanistan,  where  the  potential  utility  of  different  apps  is  evaluated.  Our  challenge/response  mechanism 
has  allowed  for  temporary  (i.e.  one  week)  endorsement  of  apps  for  evaluation.  Finally,  as  well  be 
described  below,  we  added  active  challenge  mechanisms  to  the  USB  stack  on  the  Android  handheld 
device. 

Task  4:  Laptop  Security  Stack 

The  most  fruitful  transition  of  the  Phase  II  research  was  in  securing  the  USB  connection  between  the 
tactical  handheld  device  and  a  laptop  computer.  Figure  I  below  illustrates  stock,  unmodified  USB 
communications  between  and  Android  handheld  device  and  Windows  PC. 


Figure  1  Standard  Android  USB  Communication 

As  can  be  seen,  there  is  no  authentication  built  into  the  communications  mechanisms,  allowing  for  the 
free  exchange  of  (potentially  sensitive)  data  between  any  Windows  PC  and  any  Android  device  either 
through  USB  Mass  Storage  or  over  the  Android  Debug  Bridge  (ADB)  protocol.  The  only  safeguards  are 
user  supplied  settings  and  interactions  on  the  Android  device  to  enable  these  protocols. 

For  this  effort,  we  applied  the  active  challenge  approach  developed  in  Phase  II  to  the  problem  of  USB 
mutual  authentication,  ensuring  that  data  can  only  be  exchanged  between  authorized  Windows  PC’s  and 
authorized  Android  handheld  devices.  Figure  2  below  illustrates  the  modifications  we  made  to  the  USB 
communications  stack  under  this  effort. 


Figure  2  USB  Mutual  Authentication 

As  can  be  seen,  we  first  focused  on  narrowing  the  communications  protocols  allowed  over  USB.  Rather 
than  leveraging  the  un-vetted,  vendor  supplied  ADB  USB  transport,  we  instead  focused  on  using  USB 
Mass  Storage  as  our  transport  mechanism.  When  a  hardened  Android  device  is  connected  to  a 
Windows  PC,  it  appears  as  an  empty,  read-only  USB  drive.  At  the  transport  layer,  we  built  in  an  active 
challenge  mechanism  through  the  use  of  SCSI-generic  vendor  commands  that  are  part  of  the  USB  Mass 
Storage  specification.  Through  a  series  of  specialized  commands  that  only  authorized  devices  know,  an 
initial  connection  is  made.  Once  the  devices  are  connected,  we  then  perform  two  additional 
authentication  steps.  The  first  is  a  cryptographic  mutual  authentication,  using  the  FIPS  196  Public  Key 
Entity  Authentication  protocol,  where  each  device  (PC  and  handheld)  generate,  encrypt  and  sign 
challenge  problems  and  exchange  them.  The  certificates  and  private  keys  are  bound  to  each  device 
through  unique  hardware  identification  mechanisms  and  validated  to  ensure  that  keys  were  not  copied 
to  an  authorized  device.  Once  the  devices  have  authenticated  cryptographically,  the  Android  handheld 
then  puts  out  a  password  challenge,  requiring  the  user  on  the  PC  to  enter  the  device’s  lockscreen 
password.  If  all  authentications  pass  successfully,  the  devices  can  then  begin  exchanging  data  via  the  USB 
connection. 

Task  5:  Handheld  Provisioning 

To  support  the  ongoing  Transformative  Apps  experiments  and  pilots  in  Afghanistan,  we  transitioned  the 
active  challenge  approach  developed  in  Phase  II  to  the  secure,  mass  provisioning  of  Android  handheld 
devices.  The  existing  approach  relied  on  techniques  developed  by  the  Android  community  to  backup 
and  restore  Android  devices  through  the  recovery  software  mechanism.  Basically,  one  Android  device 
was  built  and  configured,  and  then  cloned  onto  additional  devices  to  be  fielded.  As  part  of  this  effort, 
we  enhanced  that  approach,  building  in  cryptographic  challenges  into  the  back-up  files  themselves,  along 
with  modifying  the  recovery  software  on  the  Android  device  to  trigger  these  responses.  This  approach 
ensures  that  only  authorized  Android  back-ups  produced  by  the  Transformative  Apps  team  can  be 
restored  onto  a  handheld  device. 


